NSA, CISA and FBI Advisory: Russian SVR Targets U.S. and Allied Networks – April 2021

Executive Summary

Russian Foreign Intelligence Service (SVR) actors (also known as APT29, Cozy Bear, and The Dukes) frequently use publicly known vulnerabilities to conduct widespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials to allow further access. This targeting and exploitation encompasses U.S. and allied networks, including national security and government-related systems.

Recent Russian SVR activities include compromising SolarWinds® Orion® software updates,[1] targeting COVID-19 research facilities through deploying WellMess malware,[2] and leveraging a VMware® vulnerability that was a zero-day at the time for follow-on Security Assertion Markup Language (SAML) authentication abuse.[3] SVR cyber actors also used authentication abuse tactics following SolarWinds-based breaches.[4] [5]

The SVR has exploited—and continues to successfully exploit—software vulnerabilities to gain initial footholds into victim devices and networks, to include:

• CVE-2018-13379 Fortinet®[2]
• CVE-2019-9670 Zimbra®[2]
• CVE-2019-11510 Pulse Secure®[2]
• CVE-2019-19781 Citrix®[2]
• CVE-2020-4006 VMware®[3]

The National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI) previously shared mitigations to defend against exploitation of these vulnerabilities. Knowing the tradecraft that nation-state cyber actors use along with relevant response actions will enable network defenders to focus on mitigating the vulnerabilities and techniques, enabling more comprehensive protection against adversary compromise. View the entire NSA, CISA and FBI Advisory: Russian SVR Targets U.S. and Allied Networks report and Five Vulnerabilities SVR is Exploiting Right Now and How to Stop Them infographic under Key Resources. 

Infographic